Last year we predicted an increase in enforcement activity against companies with allegedly defective cybersecurity practices that fail to protect consumer data against hackers. Our prediction stemmed from a federal appeals court decision upholding the Federal Trade Commission’s authority to pursue regulatory enforcement action against a victim of a major cyber-attack. At the time, we noted that FTC cybersecurity actions relate more to failed promises about security than defects in security itself.
Fast forward to July 2016, when an alarming enforcement threat was included in guidance from the Health & Human Services’ Office for Civil Rights, which enforces the HIPAA Security rule. The new guidance, according to HHS, is “designed to help health care entities better understand and respond to the threat of ransomware.”
But it’s more than that. The unwanted encryption of Personal Health Information following a ransomware attack may be treated by HHS as a HIPAA breach, even when the PHI had already been encrypted by the covered entity to comply with the Security Rule.
How can this be? After all, when it comes to protecting personal information, encryption is good, right?
Yes, encryption is a way to comply with the HIPAA Security Rule’s requirement to limit access to electronic personal health information to only those persons requiring access. Ransomware spreads a second, malevolent encryption, making data useless until the victim pays up for an encryption key, as they often do.
If the goal of encryption is to keep unauthorized users away, redundant encryption, though terrible to deal with, doesn’t seem to increase the likelihood the twice-scrambled data can be exploited.
So how is it a breach?
HHS/OCR says whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination, noting a breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted which . . . compromises the security or privacy of the PHI.”
The guidance says OCR will presume a breach of PHI because the action of the ransomware itself is necessarily an unauthorized “possession or control” of the information and is thus a “disclosure” not permitted under the HIPAA Privacy Rule. The new guidance puts the burden on the covered entity or associated business to conduct a post-attack risk assessment that is thorough, completed in good faith and reaches reasonable conclusions to determine the probability PHI was compromised.
The guidance also outlines numerous possibilities, largely implying that ransomware victims are expected to comply with the applicable breach notification provisions, including to affected individuals, the Secretary of HHS, and the media if the breach affects more than 500 individuals, in accordance with HIPAA breach notification requirements.
Our suggestion: if you are not yet a ransomware victim, make sure your encryption practices related to PHI will assure a low probability of “compromise” in the event of unwelcome encryption by criminals. Unless you are intimately familiar with encryption standards for data at rest, you may need assistance from your IT expert and your lawyer. And, if attacked by a ransomware-wielding criminal, engage counsel immediately because your thorough, good faith and reasonable forensic examination ought to be done by IT experts working with your counsel and protected by attorney client privilege. If your experts determine there has not been a reportable breach, you may have to justify that determination to regulators at HHS/OCR. This could be especially true if the attack on your business has drawn media attention.
Check Your Protection Plan
Whatever your business, if you handle personally identifiable information, credit cards or any other form of electronic payments, especially for consumers, it is critical to review your cybersecurity and privacy policies, in light of your actual business practices.